US20170099176A1 - Containerized architecture to manage internet-connected devices - Google Patents
- Publication number
- US20170099176A1
- Authority
- US
- United States
- Prior art keywords
- management
- gateway
- management server
- iot
- sensor
- Prior art date
- Legal status
- Granted
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/04—Network management architectures or arrangements
- H04L41/046—Network management architectures or arrangements comprising network management agents or mobile agents therefor
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/12—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
-
- H04L67/42—
Definitions
- IoT Internet of Things
- Emerging examples include sensors, security devices, household appliances, entertainment components, and personal electronics, but the Internet of Things could include any physical object.
- IoT devices may be configured to sense the physical environment, may comprise edge devices that perform data acquisition from the physical environment, and/or may change the physical environment, among other activities. IoT devices may communicate over IP(v6) and/or other protocols.
- FIG. 1 is a block diagram illustrating an embodiment of a system to provide containerized management of network connected devices.
- FIG. 2 is a block diagram illustrating an embodiment of a system to provide containerized management of network connected devices.
- FIG. 3 is a flow chart illustrating an embodiment of a process to provision and configure an IoT gateway.
- FIG. 4 is a flow chart illustrating an embodiment of a process to provide security posture and/or policy-based access to backend services.
- FIG. 5 is a flow chart illustrating an embodiment of a process to perform security posture and/or policy-based management and configuration of resources comprising or otherwise associated with an IoT gateway.
- FIG. 6 is a flow chart illustrating an embodiment of a process to perform policy, security, and/or context-based processing of data at an IoT gateway or other edge device.
- FIG. 7 is a block diagram illustrating an embodiment of a system to provide containerized management of network connected devices.
- FIG. 8 is a block diagram illustrating an embodiment of a system to provision and configure an IoT gateway and/or associated resources.
- the invention can be implemented in numerous ways, including as a process; an apparatus; a system; a composition of matter; a computer program product embodied on a computer readable storage medium; and/or a processor, such as a processor configured to execute instructions stored on and/or provided by a memory coupled to the processor.
- these implementations, or any other form that the invention may take, may be referred to as techniques.
- the order of the steps of disclosed processes may be altered within the scope of the invention.
- a component such as a processor or a memory described as being configured to perform a task may be implemented as a general component that is temporarily configured to perform the task at a given time or a specific component that is manufactured to perform the task.
- the term ‘processor’ refers to one or more devices, circuits, and/or processing cores configured to process data, such as computer program instructions.
- a containerized architecture to manage Internet-connected client devices such as IoT devices
- containerization technology provides an isolated, resource controlled, and portable environment in which to run apps, applications, or other code.
- sensors or other IoT devices may be managed and provided network connectivity via an IoT gateway. Sensors may be virtualized, be managed, including by controlling access to such sensors by IoT or other applications and services, and a secure identity may be provided to each sensor.
- An “edge agent” or other software may be installed on an IoT gateway to provision, secure, and manage the gateway, associated sensors, and applications installed on the gateway.
- the applications may comprise “smart” applications configured to invoke and use sensors associated with the gateway, such as to gather data. Sensors may be invoked via specialized software, sometimes referred to herein as containerized “sensor drivers”, which may be configured to provide secure (controlled) access to a sensor via a consistent API or other interface, regardless of the physical sensor.
- a containerization architecture, such as Linux Containers (LXC) running on the Linux™ operating system, may be used to provide a resource controlled environment for isolation.
- smart or other IoT apps, sensor drivers, and the edge agent may each run in a separate container on the IoT gateway.
- the edge agent may run in a container having higher level privileges and may be configured and used, via a remote Enterprise Mobility Management (EMM) or other management server, to manage and control the installation of sensor drivers, apps, and other resources on the IoT gateway, and to configure such apps and other resources to implement policies set by an administrative user.
- EMM Enterprise Mobility Management
- the apps may be configured to access backend services, such as IoT services, enterprise app services, etc., only via a security proxy.
- the security proxy may be configured to provide access according to configuration and/or state information, including gateway and/or other security or other posture information.
- FIG. 1 is a block diagram illustrating an embodiment of a system to provide containerized management of network connected devices.
- integrated device management system and environment 100 includes a management server 102 , e.g., an enterprise mobility management (EMM) or other server configured to manage IoT devices, applications, and services as disclosed herein.
- management server 102 also performs mobile device management with respect to mobile devices 104 , which may include smartphones, tablets, laptops, or other mobile computing devices.
- a uniform user interface may be used to control front-end devices by using EMM for IoT.
- management server 102 may manage mobile devices 104 by performing one or more of facilitating or requiring device registration; configuring devices and/or applications or other resources installed thereon; installing, provisioning, and/or configuring a management agent (e.g., a management application or app) on the device; and receiving, determining, and/or processing security or other state information to determine a security posture of each device 104 .
- Management server 102 may interact with security proxy 106 to provide managed access to backend services 108 .
- backend servers on an enterprise network may provide enterprise services 108 .
- Security proxy 106 may be configured to provide secure access to backend services 108 by users of devices 104 .
- each device 104 access may be managed (e.g., provided without restriction, provided subject to restrictions, or blocked) by security proxy 106 based on state and/or context information, including by way of example and without limitation a security posture of the device 104 as indicated by management server 102 , a global security state or information, and context information such as time of day, current geographic location of the device 104 , etc.
- management server 102 and security proxy 106 in addition manage IoT devices associated with an IoT gateway 110 .
- IoT gateway 110 serves as a gateway node for a plurality of associated sensors 112 .
- Sensors 112 may include any physical sensing device, including without limitation environmental (e.g., temperature, wind) sensors; optical sensors, such as a camera or photodiode; audio sensors, such as a microphone; smell sensors; vibration or other motion detectors; seals or other tamper detection devices; biometric input devices such as hand, retina, and fingerprint scanners; and manual input devices such as buttons, knobs, levers, keypads, etc.; or any other device capable of detecting a value or event taking place in a physical space in which the device is located and/or capable of being altered by or altering a physical environment in which the device is located.
- management server 102 and security proxy 106 cooperate to provide managed access to IoT services 114 .
- access to devices 112 may be managed at least in part by installing on IoT gateway 110 and configuring one or more apps configured to control one or more of sensors 112 ; consume data or other output or signal data generated by sensors; and/or interact via sensors 112 with a physical space in which sensors 112 may be located.
- Security proxy 106 may be configured to terminate a secure connection, such as a tunnel connection, to the gateway 110 and/or one or more applications or other entities installed on gateway 110 .
- Security proxy 110 may be configured to use secure connections to backend IoT services 114 to proxy connections and/or communications between apps on gateway 110 and backend IoT services 114 .
- IoT services 114 may include, without limitation, services that consume and use data generated by sensors 112 to expose related (e.g., reporting, monitoring, analysis) services to client devices and/or systems associated with users of such services 114 .
- temperature sensors 112 may be used to monitor the temperature in a plurality of physical locations, each associated with a corresponding IoT gateway 110 .
- Apps on the respective gateways 110 may report data to a corresponding IoT service 114 via security proxy 106 .
- the IoT service may analyze the data, aggregate and report the data, generate alerts based on the data, etc., and provide related information or other services to local or remote client devices and systems (not shown in FIG. 1 ).
- access by apps running on IoT gateway 110 to backend IoT (or other) services 114 may be managed by security proxy 106 in the same way (or similar ways) as access by mobile devices 104 to enterprise services 108 .
- access may be managed at least in part by enforcing one or more policies, including without limitation by taking into consideration sensor and/or gateway security or other state or posture information, threat detection from anomalous sensor data behavior, and context data such as time of day, day of the week, etc.
- FIG. 2 is a block diagram illustrating an embodiment of a system to provide containerized management of network connected devices.
- management server 202 and security proxy 206 cooperate to provide managed access to IoT services 214 by apps, sensors, and/or other resources comprising and/or otherwise associated with IoT gateway 210 .
- IoT gateway 210 has installed thereon a management agent identified in FIG. 2 as edge agent 220 .
- Edge agent 220 may be installed on IoT gateway 210 by/from an app store, which may be hosted on management server 202 in some embodiments, and configured by management server 202 to be used to manage other resources on and/or associated with gateway 210 as disclosed herein.
- gateway 210 may comprise a lightweight computing device comprising one or more processors; memory devices; power modules and components such as batteries, power supplies, etc.; communication buses and connections; physical ports and traces or wires to connect such ports to other components; etc.
- gateway 210 may be a Raspberry Pi™ or similar lightweight, low cost computing device.
- Edge agent 220 is configured in various embodiments to install, configure, and manage apps installed on gateway 210 , such as IoT smart apps 222 and sensor drivers 224 in the example shown.
- Sensor drivers 224 each may comprise a specialized app that performs security, admin, and management functions beyond those performed by traditional driver software.
- sensor drivers 224 are configured to provide access to a corresponding one or more of sensors 226 via a consistent, easy-to-use, well-published API or other interface.
- Sensor drivers 224 may provide to apps 222 secure and/or managed access to sensors 226 and/or data provided by sensors 226 .
- sensor drivers 224 may prevent apps 222 from altering a configuration or operation of sensors 226 .
- edge agent 220 may configure sensor drivers 224 to configure, operate, and/or manage access to sensors 226 in a manner specified by a policy or other configuration data, such as administrative commands entered via an interface of management server 202 .
- Sensor drivers 224 may serve as an input/output multiplexer for a physical port (not shown in FIG. 2 ) of gateway 210 .
- Sensor drivers 224 may allow administrative commands, policies, etc. to be used to control which business apps are allowed to communicate with which sensors.
- sensor drivers such as sensor drivers 224 may be downloaded from an authorized (e.g., enterprise-managed) app store, and may be updated and/or managed in the same manner as other apps.
- Edge agent 220 , smart apps 222 , and sensor drivers 224 each may comprise a containerized application running in a container provided on gateway 210 using a containerization platform, architecture, and/or technology, such as Linux Containers (linuxcontainers.org).
- Edge agent 220 may comprise a privileged containerized application.
- edge agent 220 may run in a container that includes capabilities required to manage apps 222 and/or sensor drivers 224 , as disclosed herein.
- each containerized application (e.g., edge agent 220 , apps 222 , and drivers 224 ) runs on top of an operating system 228 , such as the Linux™ operating system.
- managed apps 222 may be configured to provide to IoT services 214 , via security proxy 206 , data comprising and/or derived from output of sensors 226 .
- data may be aggregated, filtered, selectively reported, compressed, encrypted, and/or otherwise pre-processed by one or more of apps 222 , resulting in less data and/or value added data being communicated to IoT services 214 , resulting in consumption of less network communication and backend storage and processing resources than may have been required or consumed absent such pre-processing.
- sensor drivers 224 may be configured to detect tampering, failure, or other state or context data affecting sensors 226 .
- sensor drivers 224 may be configured to report such information to management server 202 , which may in response update a security posture and/or other state and/or context data associated with the affected sensor, the gateway 210 , and/or applicable ones of apps 222 installed thereon.
- apps 222 may be prevented from sending to IoT services 214 data obtained from a potentially compromised sensor 226 , either by changing the behavior of the app 222 (for example, by using edge agent 220 to change the app's configuration data) or by blocking or stripping such data at security proxy 206 , e.g., in response to security posture information received from management server 202 .
- FIG. 3 is a flow chart illustrating an embodiment of a process to provision and configure an IoT gateway.
- the process of FIG. 3 may be implemented by a management server, such as management server 102 of FIG. 1 or management server 202 of FIG. 2 , to provide an IoT gateway device, such as gateway 110 of FIG. 1 or gateway 210 of FIG. 2 .
- an IoT gateway is pre-registered ( 302 ).
- an administrative user may use a web-based or other interface of a management server, such as management servers 102 and 202 , to create a record of the gateway; assign to the gateway a corresponding identity, such as a certificate; associate the gateway with one or more groups, designations, and/or configuration/management policies; etc.
- the pre-registered gateway is deployed, e.g., to an associated physical location, and connected to the management server, e.g., via a wireless, wired, or other network connection available at the physical location to which the gateway has been deployed ( 304 ).
- physical custody and control of the gateway may be maintained very carefully, to ensure the gateway is not tampered with en route to being deployed at a destination physical location.
- the management server is used to install an edge agent on the gateway ( 306 ).
- for example, a native management agent of the gateway, if present, may be used to install and configure the edge agent.
- an administrative user account and/or credential may be used to install the edge agent.
- the edge agent may be configured automatically, e.g., to enforce one or more policies associated with the gateway at the management server.
- the gateway is provisioned ( 308 ).
- an image or other encapsulation of an IoT gateway as disclosed herein may be downloaded and installed on a hardware device comprising the gateway.
- An operating system may be installed, configured, and/or brought under management.
- the IoT gateway disclosed herein may itself be a containerized application, such as a Linux container, within which another containerization environment is run that includes containerized apps such as smart IoT apps and/or sensor drivers.
- provisioning the gateway may include one or more of providing an identity, such as via a certificate, providing policy and/or configuration data to be enforced locally, connecting the gateway to an associated security proxy, etc.
- containerized apps such as IoT smart apps, and sensor drivers
- IoT smart apps may be installed and configured on an IoT gateway as disclosed herein.
- the management server and edge agent may cooperate to install one or more smart apps and/or one or more sensor driver apps on the gateway, and to configure such apps according to applicable policies.
- the smart apps and/or sensor drivers each may comprise a containerized app that is downloaded to the gateway in the form of a containerization-friendly binary image or similar encapsulation, obtained from an associated universally accessible resource such as an image registry, such as one installed on and/or otherwise associated with the management server.
- FIG. 4 is a flow chart illustrating an embodiment of a process to provide security posture and/or policy-based access to backend services.
- the process of FIG. 4 may be implemented by a security proxy, such as proxy 106 of FIG. 1 or proxy 206 of FIG. 2 .
- IoT gateway (and/or associated) posture information is received ( 402 ).
- a security proxy may receive posture information from a management server.
- the management server may notify the security proxy 106 of the updated posture of the gateway. If the gateway is/remains fully compliant ( 404 ), the security proxy (or other node) allows/continues to allow access to associated backend IoT services ( 406 ). If the gateway is not fully compliant ( 404 ), a policy-based responsive action is taken ( 408 ). In various embodiments, the responsive action may be indicated by a policy or other configuration data.
- a change in gateway security posture, e.g., too much time since last check in, unauthorized app installed, unauthorized change to an app or its configuration, tampering with gateway, a sensor, apps, and/or drivers detected, etc.
- the nature and/or scope of the response may be determined programmatically based on the specific applicable security posture information. For example, a change to a state indicating that a particular sensor may have been tampered with may result in the security proxy or other node blocking data from that sensor only. Installation of an unauthorized and potentially malicious app on the gateway, by contrast, may result in all communications from that gateway being blocked and/or quarantined.
- FIG. 5 is a flow chart illustrating an embodiment of a process to perform security posture and/or policy-based management and configuration of resources comprising or otherwise associated with an IoT gateway.
- the process of FIG. 5 may be performed by a management server to provide a response to be implemented at a gateway based on security or other posture, configuration, and/or context information.
- the process of FIG. 5 may be implemented at an IoT gateway, such as by an edge agent installed on an IoT gateway, to provide a local response to security posture and/or other information.
- security posture, configuration, and/or context information are monitored ( 502 ).
- an edge agent may monitor the configuration of IoT smart apps, sensor drivers, sensors, and/or other resources comprising and/or otherwise associated with a gateway to detect configuration changes, tampering with physical sensors, connectors, or ports, etc.
- an edge agent may report posture, configuration, and context data, e.g., to a management server.
- posture, configuration, and/or context data may be provided by external sources, such as an administrator, or a third party system, such as an intrusion detection system or other security system.
- a managed IoT smart app may be configured to provide data in a different manner, to use an alternate sensor and/or sensor app, to suspend operation, to send data to a different destination, etc.
- FIG. 6 is a flow chart illustrating an embodiment of a process to perform policy, security, and/or context-based processing of data at an IoT gateway or other edge device.
- the process of FIG. 6 may be performed by an IoT smart app.
- sensor and/or other data is gathered and evaluated locally at the gateway ( 602 ).
- an IoT smart app may perform analysis, such as comparing sensor output values to a threshold, performing statistical analysis, etc. If a threshold or other trigger event is detected ( 604 ), applicable sensor and/or derived or otherwise related data may be aggregated, filtered, packaged, and/or compressed and then sent to an associated backend service, e.g., via a security proxy. Processing continues until done ( 608 ), e.g., the IoT smart app stops running, there is no further sensor data to process, etc.
- FIG. 7 is a block diagram illustrating an embodiment of a system to provide containerized management of network connected devices.
- a given set of sensors are used by associated apps and sensor drivers to provide an illustrative example of an IoT service provided using techniques disclosed herein.
- Management server 702 and security proxy 706 cooperate, as disclosed herein, to provide managed access to a remote image service 714 .
- Client systems and/or devices 716 may access the service 714 to see, for example, images taken by a camera or other sensor installed at a remote physical location.
- IoT gateway 710 having operating system 712 running thereon may be installed at or near the monitored location.
- An edge agent (management app) 720 installed and running on gateway 710 manages a remote imaging app 722 , sensor driver 724 , and camera (sensor) driver 726 , each of which may comprise a containerized application running on gateway 710 .
- Sensor driver 724 functions as an I/O multiplexer for a serial I/O port 728 to which sensors 730 and 732 are connected.
- sensor 730 may be a push button while sensor 732 may be a motion and/or light detector.
- Camera driver 726 configures and manages access to a camera 736 connected to gateway 710 via a general purpose I/O 734 .
- Remote image app 722 accesses sensors 730 and 732 via sensor driver 724 , and camera 736 via camera driver 726 .
- Sensor driver 724 and/or camera driver 726 may be configured to allow access only selectively and/or subject to constraints specified in their own app configuration data.
- sensor driver 724 may be configured to provide to remote image app 722 access only to output data (e.g., click events) associated with push button 730 .
- remote image app 722 may be configured to subscribe, via sensor driver 724 , to click events generated by sensor driver 724 in response to receiving an indication via serial I/O 728 that the push button 730 has been pushed. In response to each occurrence of such a click event, remote image app 722 may be configured to request and obtain via camera driver 726 a burst comprising a prescribed number of images generated using camera 736 . The prescribed number may be indicated, for example, in app configuration data for one or both of the camera driver 726 and the remote imaging app 722 . Remote imaging app 722 may be configured to perform filtering, analysis, and/or other pre-processing of received image data.
- remote imaging app 722 may be configured to detect the presence (or not) of a face in an image, and to send to remote imaging service 714 only those images that contain a face. Or, remote imaging app 722 may be configured to judge image quality and send only a selected representative image of a certain quality. In yet another example, remote imaging app 722 may be configured to degrade image quality and/or otherwise reduce an associated data size prior to communicating an image to the remote imaging service 714 .
- management and security techniques disclosed herein may be applied to the example service shown in FIG. 7 .
- management server 702 may send updated posture information to security proxy 706 , prompting security proxy 706 to block access by remote image app 722 to remote image service 714 .
- an administrator may indicate via an administrative interface a desired change in app behavior, such as to change the number of images included in each burst.
- management server 702 may use edge agent 720 to change the configuration of one or both of remote image app 722 and camera driver 726 to implement the change.
- camera 736 may be replaced with a different physical device.
- a replacement driver for camera driver 726 may be downloaded, installed, and configured.
- the replacement driver may be configured to implement a physical or other interface to the new camera, while continuing to expose a consistent interface to remote image app 722 , which in this example would not be required to be updated and/or reconfigured.
- FIG. 8 is a block diagram illustrating an embodiment of a system to provision and configure an IoT gateway and/or associated resources.
- a management server 802 and security proxy 806 cooperate to provide managed access to IoT services 814 by IoT smart applications running on IoT gateway 810 having operating system 812 running thereon.
- management is performed at least in part via an edge agent 820 installed on gateway 810 .
- Edge agent 820 configures and otherwise manages containerized applications running on gateway 810 , such as image app 822 , button (sensor) driver 824 associated with button sensor 830 , and camera (sensor) driver 826 associated with camera 836 , in this example, through communications sent via a secure connection bus.
- an IoT application store paradigm, platform, and interface 816 is provided to enable IoT smart apps, sensor drivers, and other resources to be installed on a managed IoT gateway, such as gateway 810 .
- IoT application store interface 816 displays in dashed, outline, shadow, or other less prominently visible form icons representing containerized applications that have already been installed on gateway 810 . Additional applications (temp driver, alarm app) that have not (yet) been installed on gateway 810 are displayed using solid lines.
- an IoT app store may be implemented as a software distribution registry or similar repository.
- Each application icon displayed via the app store interface such as interface 816 in the example shown, may be associated with a corresponding downloadable software image or similar encapsulation of data required to build and run a container. Selection of an application that has not been installed may result in the corresponding image being pulled to the associated IoT gateway, which may then use the image or other data to install and run a corresponding instance of an associated containerized application.
- apps and sensor drivers shown in and described above in connection with FIGS. 7 and 8 are illustrative examples of apps and sensor drivers that may be used in the application agnostic architecture and approach disclosed herein. Limitless other apps, sensor drivers, and associated services may be conceived and implemented using techniques disclosed herein.
- applications made available via an IoT app store as disclosed herein may comprise a subset of applications included in a master inventory of applications.
- the applications in the inventory may be filtered based on information associated with the gateway, such as a role or other data associated with an enterprise or other user with which the gateway is associated; a location or other attribute associated with the gateway; security or other posture information; group or other designation with which the gateway is associated; sensors detected to be connected to the gateway; etc.
- apps, sensor drivers, and/or other IoT gateway apps and tools may be developed by application developers.
- a software development kit (SDK), application programming interface (API), open source code repository, and/or other tools and resources may be provided to facilitate the development and/or improvement of IoT gateway apps and drivers.
- SDK software development kit
- API application programming interface
- a developer associated with an enterprise, or a third party developer may create a new or adapted sensor driver to enable a new type, make, or model of sensor to be used by one or more other IoT gateway apps and/or associated services.
- Apps, sensor drivers, and other code developed by third parties may be submitted for review and approval, and may be made available to be downloaded from an IoT gateway app store upon a determination being made that the app, sensor driver, etc. functions as intended and contains no malicious or otherwise risky or vulnerable code.
- secure, managed access to backend services may be provided to applications and other resources comprising or otherwise associated with IoT devices.
- a smart device such as a smart appliance
- separate hardware, such as a Raspberry Pi™ or other device, may not be required.
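The posture-based decision described for FIG. 4 (steps 402 to 408), sketched as an added example that is not code from the patent or from any product. The `Posture` record, the `Action` names, the 900-second check-in limit, and the choice to quarantine on a missing or stale posture are all assumptions made for illustration; the patent leaves the responsive action to policy.

```python
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    ALLOW = "allow"
    BLOCK_SENSOR = "block-sensor"              # drop data from one sensor only
    QUARANTINE_GATEWAY = "quarantine-gateway"  # drop everything from the gateway


@dataclass
class Posture:
    """Hypothetical posture record pushed by the management server (step 402)."""
    gateway_id: str
    last_checkin: float                        # epoch seconds of last check-in
    unauthorized_apps: set = field(default_factory=set)
    tampered_sensors: set = field(default_factory=set)


MAX_CHECKIN_AGE = 900.0  # assumed policy value in seconds, not from the patent


class SecurityProxy:
    def __init__(self, max_checkin_age=MAX_CHECKIN_AGE):
        self._postures = {}
        self._max_age = max_checkin_age

    def update_posture(self, posture):
        """Store the latest posture reported for a gateway."""
        self._postures[posture.gateway_id] = posture

    def decide(self, gateway_id, sensor_id, now):
        """Steps 404-408: scope the response to what the posture indicates."""
        p = self._postures.get(gateway_id)
        if p is None:
            # Fail closed for gateways that were never registered (assumption).
            return Action.QUARANTINE_GATEWAY, "no posture on record"
        if p.unauthorized_apps:
            names = ", ".join(sorted(p.unauthorized_apps))
            return Action.QUARANTINE_GATEWAY, "unauthorized app: " + names
        if now - p.last_checkin > self._max_age:
            return Action.QUARANTINE_GATEWAY, "check-in overdue"
        if sensor_id in p.tampered_sensors:
            return Action.BLOCK_SENSOR, "sensor flagged as tampered"
        return Action.ALLOW, "compliant"

    def filter_batch(self, gateway_id, readings, now):
        """Split an app's upload into forwarded readings and dropped ones."""
        forwarded, dropped = [], []
        for reading in readings:
            action, reason = self.decide(gateway_id, reading["sensor"], now)
            if action is Action.ALLOW:
                forwarded.append(reading)
            else:
                dropped.append((reading["sensor"], action, reason))
        return forwarded, dropped


def demo():
    """Run one constructed batch through three posture states."""
    now = 10_000.0
    proxy = SecurityProxy()
    batch = [{"sensor": "temp-1", "value": 21.5},
             {"sensor": "temp-2", "value": 88.0}]  # constructed sample data
    results = {}
    proxy.update_posture(Posture("gw-a", now - 60))
    results["compliant"] = proxy.filter_batch("gw-a", batch, now)
    proxy.update_posture(Posture("gw-a", now - 60, tampered_sensors={"temp-2"}))
    results["tampered"] = proxy.filter_batch("gw-a", batch, now)
    proxy.update_posture(Posture("gw-a", now - 60, unauthorized_apps={"unknown-app"}))
    results["rogue_app"] = proxy.filter_batch("gw-a", batch, now)
    return results


if __name__ == "__main__":
    for state, (forwarded, dropped) in demo().items():
        print(state, "forwarded:", forwarded, "dropped:", dropped)
```

The tampered-sensor case drops only that sensor's readings, while the unauthorized-app case drops the whole batch, which mirrors the two scopes of response the text contrasts.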
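The sensor-driver mediation described for FIGS. 2 and 7 (apps reach sensors only through a driver, cannot change driver configuration, and the edge agent sets grants and burst size), as an added example that is not code from the patent. The classes run in one process instead of separate containers, and every name here (`EDGE_AGENT`, `button-730`, `camera-736`, the grant format, the `face` flag on constructed frames) is a hypothetical chosen for illustration.

```python
class AccessDenied(PermissionError):
    """Raised when a caller is outside the driver's configured grants."""


EDGE_AGENT = "edge-agent"  # hypothetical identity of the privileged management container


class SensorDriver:
    """In-process stand-in for a containerized sensor driver."""

    def __init__(self, grants, config=None):
        self._grants = grants          # {app_id: {sensor_id: {"subscribe", "read"}}}
        self._config = dict(config or {})
        self._subscribers = {}         # sensor_id -> [(app_id, callback)]

    def _allowed(self, app_id, sensor_id, op):
        return op in self._grants.get(app_id, {}).get(sensor_id, ())

    def _require(self, app_id, sensor_id, op):
        if not self._allowed(app_id, sensor_id, op):
            raise AccessDenied(f"{app_id} may not {op} {sensor_id}")

    def subscribe(self, app_id, sensor_id, callback):
        self._require(app_id, sensor_id, "subscribe")
        self._subscribers.setdefault(sensor_id, []).append((app_id, callback))

    def configure(self, caller, key, value):
        # Only the management path may change driver behavior, never an app.
        if caller != EDGE_AGENT:
            raise AccessDenied(f"{caller} may not change driver configuration")
        self._config[key] = value

    def set_grants(self, caller, grants):
        if caller != EDGE_AGENT:
            raise AccessDenied(f"{caller} may not change access grants")
        self._grants = grants

    def port_event(self, sensor_id, event):
        """Input from the physical port; grants are re-checked at delivery time."""
        delivered = 0
        for app_id, callback in self._subscribers.get(sensor_id, []):
            if self._allowed(app_id, sensor_id, "subscribe"):
                callback(event)
                delivered += 1
        return delivered


class CameraDriver(SensorDriver):
    def __init__(self, grants, frames, config=None):
        super().__init__(grants, config)
        self._frames = iter(frames)    # constructed frames standing in for a camera

    def capture_burst(self, app_id, camera_id):
        self._require(app_id, camera_id, "read")
        count = self._config.get("burst_size", 1)
        return [next(self._frames) for _ in range(count)]


def run_demo():
    app = "remote-image-app"
    buttons = SensorDriver({app: {"button-730": {"subscribe"}}})
    frames = [{"id": i, "face": i % 3 == 0} for i in range(12)]  # constructed
    camera = CameraDriver({app: {"camera-736": {"read"}}}, frames, {"burst_size": 3})
    uploaded = []

    def on_click(_event):
        # App-side pre-processing: upload only frames that contain a face.
        burst = camera.capture_burst(app, "camera-736")
        uploaded.extend(f["id"] for f in burst if f["face"])

    buttons.subscribe(app, "button-730", on_click)
    denied = []
    for attempt in (lambda: buttons.subscribe(app, "motion-732", on_click),
                    lambda: camera.configure(app, "burst_size", 50)):
        try:
            attempt()
        except AccessDenied as exc:
            denied.append(str(exc))

    buttons.port_event("button-730", "click")      # burst of 3 frames
    camera.configure(EDGE_AGENT, "burst_size", 5)  # administrator changes policy
    buttons.port_event("button-730", "click")      # burst of 5 frames
    buttons.set_grants(EDGE_AGENT, {})             # access revoked centrally
    delivered_after_revoke = buttons.port_event("button-730", "click")
    return uploaded, denied, delivered_after_revoke


if __name__ == "__main__":
    print(run_demo())
```

Re-checking grants in `port_event` is what makes revocation take effect for subscriptions that already exist, not only for new ones.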
Description
- This application claims priority to U.S. Provisional Patent Application No. 62/222,029 entitled CONTAINERIZED ARCHITECTURE TO MANAGE INTERNET-CONNECTED DEVICES filed Sep. 22, 2015 which is incorporated herein by reference for all purposes.
- It is anticipated that the “Internet of Things” (“IoT”) revolution will encompass innumerable, specialized, non-software innovations, including without limitation in sensor technologies, power consumption, and data transmission and receipt.
- As used herein, the term “Internet of Things” or “IoT” refers to physical objects having embedded hardware and/or software and network connectivity, e.g., via the Internet, to other such objects and/or other nodes, services, systems, etc. Emerging examples include sensors, security devices, household appliances, entertainment components, and personal electronics, but the Internet of Things could include any physical object.
- IoT devices may be configured to sense the physical environment, may comprise edge devices that perform data acquisition from the physical environment, and/or may change the physical environment, among other activities. IoT devices may communicate over IP(v6) and/or other protocols.
- Various embodiments of the invention are disclosed in the following detailed description and the accompanying drawings.
- FIG. 1 is a block diagram illustrating an embodiment of a system to provide containerized management of network connected devices.
- FIG. 2 is a block diagram illustrating an embodiment of a system to provide containerized management of network connected devices.
- FIG. 3 is a flow chart illustrating an embodiment of a process to provision and configure an IoT gateway.
- FIG. 4 is a flow chart illustrating an embodiment of a process to provide security posture and/or policy-based access to backend services.
- FIG. 5 is a flow chart illustrating an embodiment of a process to perform security posture and/or policy-based management and configuration of resources comprising or otherwise associated with an IoT gateway.
- FIG. 6 is a flow chart illustrating an embodiment of a process to perform policy, security, and/or context-based processing of data at an IoT gateway or other edge device.
- FIG. 7 is a block diagram illustrating an embodiment of a system to provide containerized management of network connected devices.
- FIG. 8 is a block diagram illustrating an embodiment of a system to provision and configure an IoT gateway and/or associated resources.
- The invention can be implemented in numerous ways, including as a process; an apparatus; a system; a composition of matter; a computer program product embodied on a computer readable storage medium; and/or a processor, such as a processor configured to execute instructions stored on and/or provided by a memory coupled to the processor. In this specification, these implementations, or any other form that the invention may take, may be referred to as techniques. In general, the order of the steps of disclosed processes may be altered within the scope of the invention. Unless stated otherwise, a component such as a processor or a memory described as being configured to perform a task may be implemented as a general component that is temporarily configured to perform the task at a given time or a specific component that is manufactured to perform the task. As used herein, the term ‘processor’ refers to one or more devices, circuits, and/or processing cores configured to process data, such as computer program instructions.
- A detailed description of one or more embodiments of the invention is provided below along with accompanying figures that illustrate the principles of the invention. The invention is described in connection with such embodiments, but the invention is not limited to any embodiment. The scope of the invention is limited only by the claims and the invention encompasses numerous alternatives, modifications and equivalents. Numerous specific details are set forth in the following description in order to provide a thorough understanding of the invention. These details are provided for the purpose of example and the invention may be practiced according to the claims without some or all of these specific details. For the purpose of clarity, technical material that is known in the technical fields related to the invention has not been described in detail so that the invention is not unnecessarily obscured.
- A containerized architecture to manage Internet-connected client devices, such as IoT devices, is disclosed. In various embodiments, containerization technology provides an isolated, resource controlled, and portable environment in which to run apps, applications, or other code. In various embodiments, sensors or other IoT devices may be managed and provided network connectivity via an IoT gateway. Sensors may be virtualized and managed, including by controlling access to such sensors by IoT or other applications and services, and a secure identity may be provided to each sensor. An “edge agent” or other software may be installed on an IoT gateway to provision, secure, and manage the gateway, associated sensors, and applications installed on the gateway. The applications may comprise “smart” applications configured to invoke and use sensors associated with the gateway, such as to gather data. Sensors may be invoked via specialized software, sometimes referred to herein as containerized “sensor drivers”, which may be configured to provide secure (controlled) access to sensors via a consistent API or other interface, regardless of the physical sensor.
- A containerization architecture, such as Linux Containers (LXC) running on the Linux™ operating system, may be used to provide a resource controlled environment for isolation. For example, smart or other IoT apps, sensor drivers, and the edge agent may each run in a separate container on the IoT gateway. The edge agent may run in a container having higher level privileges and may be configured and used, via a remote Enterprise Mobility Management (EMM) or other management server, to manage and control the installation of sensor drivers, apps, and other resources on the IoT gateway, and to configure such apps and other resources to implement policies set by an administrative user.
- In various embodiments, the apps may be configured to access backend services, such as IoT services, enterprise app services, etc., only via a security proxy. The security proxy may be configured to provide access according to configuration and/or state information, including gateway and/or other security or other posture information.
- FIG. 1 is a block diagram illustrating an embodiment of a system to provide containerized management of network connected devices. In the example shown, integrated device management system and environment 100 includes a management server 102, e.g., an enterprise mobility management (EMM) or other server configured to manage IoT devices, applications, and services as disclosed herein. In the example shown, management server 102 also performs mobile device management with respect to mobile devices 104, which may include smartphones, tablets, laptops, or other mobile computing devices. A uniform user interface may be used to control front-end devices by using EMM for IoT.
- In various embodiments, management server 102 may manage mobile devices 104 by performing one or more of facilitating or requiring device registration; configuring devices and/or applications or other resources installed thereon; installing, provisioning, and/or configuring a management agent (e.g., a management application or app) on the device; and receiving, determining, and/or processing security or other state information to determine a security posture of each device 104. Management server 102 may interact with security proxy 106 to provide managed access to backend services 108. For example, backend servers on an enterprise network may provide enterprise services 108. Security proxy 106 may be configured to provide secure access to backend services 108 by users of devices 104. In various embodiments, for each device 104 access may be managed (e.g., provided without restriction, provided subject to restrictions, or blocked) by security proxy 106 based on state and/or context information, including by way of example and without limitation a security posture of the device 104 as indicated by management server 102, a global security state or information, and context information such as time of day, current geographic location of the device 104, etc.
- In the example shown, management server 102 and security proxy 106 in addition manage IoT devices associated with an IoT gateway 110. In the example shown, IoT gateway 110 serves as a gateway node for a plurality of associated sensors 112. Sensors 112 may include any physical sensing device, including without limitation environmental (e.g., temperature, wind) sensors; optical sensors, such as a camera or photodiode; audio sensors, such as a microphone; smell sensors; vibration or other motion detector; seals or other tamper detection devices; biometric input devices such as hand, retina, and fingerprint scanners; and manual input devices such as buttons, knobs, levers, keypads, etc.; or any other device capable of detecting a value or event taking place in a physical space in which the device is located and/or capable of being altered by or altering a physical environment in which the device is located.
- In the example shown, management server 102 and security proxy 106 cooperate to provide managed access to IoT services 114. For example, access to devices 112 may be managed at least in part by installing on IoT gateway 110 and configuring one or more apps configured to control one or more of sensors 112; consume data or other output or signal data generated by sensors; and/or interact via sensors 112 with a physical space in which sensors 112 may be located. Security proxy 106 may be configured to terminate a secure connection, such as a tunnel connection, to the gateway 110 and/or one or more applications or other entities installed on gateway 110. Security proxy 110 may be configured to use secure connections to backend IoT services 114 to proxy connections and/or communications between apps on gateway 110 and backend IoT services 114.
- Examples of IoT services 114 may include, without limitation, services that consume and use data generated by sensors 112 to expose related (e.g., reporting, monitoring, analysis) services to client devices and/or systems associated with users of such services 114. For example, temperature sensors 112 may be used to monitor the temperature in a plurality of physical locations, each associated with a corresponding IoT gateway 110. Apps on the respective gateways 110 may report data to a corresponding IoT service 114 via security proxy 106. The IoT service may analyze the data, aggregate and report the data, generate alerts based on the data, etc., and provide related information or other services to local or remote client devices and systems (not shown in FIG. 1).
- In various embodiments, access by apps running on IoT gateway 110 to backend IoT (or other) services 114 may be managed by security proxy 106 in the same way (or similar ways) as access by mobile devices 104 to enterprise services 108. For example, in some embodiments, access may be managed at least in part by enforcing one or more policies, including without limitation by taking into consideration sensor and/or gateway security or other state or posture information, threat detection from anomalous sensor data behavior, and context data such as time of day, day of the week, etc.
- FIG. 2 is a block diagram illustrating an embodiment of a system to provide containerized management of network connected devices. In the example shown, management server 202 and security proxy 206 cooperate to provide managed access to IoT services 214 by apps, sensors, and/or other resources comprising and/or otherwise associated with IoT gateway 210. IoT gateway 210 has installed thereon a management agent identified in FIG. 2 as edge agent 220. Edge agent 220 may be installed on IoT gateway 210 by/from an app store, which may be hosted on management server 202 in some embodiments, and configured by management server 202 to be used to manage other resources on and/or associated with gateway 210 as disclosed herein. In various embodiments, gateway 210 may comprise a lightweight computing device comprising one or more processors; memory devices; power modules and components such as batteries, power supplies, etc.; communication buses and connections; physical ports and traces or wires to connect such ports to other components; etc. In some embodiments, gateway 210 may be a Raspberry Pi™ or similar lightweight, low cost computing device.
- Edge agent 220 is configured in various embodiments to install, configure, and manage apps installed on gateway 210, such as IoT smart apps 222 and sensor drivers 224 in the example shown. Sensor drivers 224 each may comprise a specialized app that performs security, admin, and management functions beyond those performed by traditional driver software. In various embodiments, sensor drivers 224 are configured to provide access to a corresponding one or more of sensors 226 via a consistent, easy-to-use, well-published API or other interface. Sensor drivers 224 may provide to apps 222 secure and/or managed access to sensors 226 and/or data provided by sensors 226. In various embodiments, sensor drivers 224 may prevent apps 222 from altering a configuration or operation of sensors 226. For example, edge agent 220 may configure sensor drivers 224 to configure, operate, and/or manage access to sensors 226 in a manner specified by a policy or other configuration data, such as administrative commands entered via an interface of management server 202. Sensor drivers 224 may serve as an input/output multiplexer for a physical port (not shown in FIG. 2) of gateway 210. Sensor drivers 224 may allow administrative commands, policies, etc. to be used to control which business apps are allowed to communicate with which sensors. In some embodiments, sensor drivers such as sensor drivers 224 may be downloaded from an authorized (e.g., enterprise-managed) app store, and may be updated and/or managed in the same manner as other apps.
- Edge agent 220, smart apps 222, and sensor drivers 224 each may comprise a containerized application running in a container provided on gateway 210 using a containerization platform, architecture, and/or technology, such as Linux Containers (linuxcontainers.org). Edge agent 220 may comprise a privileged containerized application. For example, edge agent 220 may run in a container that includes capabilities required to manage apps 222 and/or sensor drivers 224, as disclosed herein. In various embodiments, each containerized application (e.g., edge agent 220, apps 222, and drivers 224) runs on top of an operating system 228, such as the Linux™ operating system.
- In various embodiments, managed apps 222 may be configured to provide to IoT services 214, via security proxy 206, data comprising and/or derived from output of sensors 226. In various embodiments, data may be aggregated, filtered, selectively reported, compressed, encrypted, and/or otherwise pre-processed by one or more of apps 222, resulting in less data and/or value added data being communicated to IoT services 214, resulting in consumption of less network communication and backend storage and processing resources than may have been required or consumed absent such pre-processing.
- In another example of gateway-side processing, sensor drivers 224 may be configured to detect tampering, failure, or other state or context data affecting sensors 226. In various embodiments, sensor drivers 224 may be configured to report such information to management server 202, which may in response update a security posture and/or other state and/or context data associated with the affected sensor, the gateway 210, and/or applicable ones of apps 222 installed thereon. For example, apps 222 may be prevented from sending to IoT services 214 data obtained from a potentially compromised sensor 226, either by changing the behavior of the app 222 (for example, by using edge agent 220 to change the app's configuration data) or by blocking or stripping such data at security proxy 206, e.g., in response to security posture information received from management server 202.
- FIG. 3 is a flow chart illustrating an embodiment of a process to provision and configure an IoT gateway. In various embodiments, the process of FIG. 3 may be implemented by a management server, such as management server 102 of FIG. 1 or management server 202 of FIG. 2, to provide an IoT gateway device, such as gateway 110 of FIG. 1 or gateway 210 of FIG. 2. In the example shown, an IoT gateway is pre-registered (302). For example, an administrative user may use a web-based or other interface of a management server, such as management servers
- The gateway is provisioned (308). For example, an image or other encapsulation of an IoT gateway as disclosed herein may be downloaded and installed on a hardware device comprising the gateway. An operating system may be installed, configured, and/or brought under management. In some embodiments, the IoT gateway disclosed herein may itself be a containerized application, such as a Linux container, within which another containerization environment is run that includes containerized apps such as smart IoT apps and/or sensor drivers. In some embodiments, provisioning the gateway may include one or more of providing an identity, such as via a certificate, providing policy and/or configuration data to be enforced locally, connecting the gateway to an associated security proxy, etc.
- In various embodiments, containerized apps, such as IoT smart apps, and sensor drivers, may be installed and configured on an IoT gateway as disclosed herein. For example, the management server and edge agent may cooperate to install one or more smart apps and/or one or more sensor driver apps on the gateway, and to configure such apps according to applicable policies. In some embodiments, the smart apps and/or sensor drivers each may comprise a containerized app that is downloaded to the gateway in the form of a containerization-friendly binary image or similar encapsulation, obtained from an associated universally accessible resource such as an image registry, such as one installed on and/or otherwise associated with the management server.
- FIG. 4 is a flow chart illustrating an embodiment of a process to provide security posture and/or policy-based access to backend services. In various embodiments, the process of FIG. 4 may be implemented by a security proxy, such as proxy 106 of FIG. 1 or proxy 206 of FIG. 2. In the example shown, IoT gateway (and/or associated) posture information is received (402). In some embodiments, a security proxy may receive posture information from a management server. For example, if the management server detects a change in gateway security posture—e.g., too much time since last check in, unauthorized app installed, unauthorized change to an app or its configuration, tampering with gateway, a sensor, apps, and/or drivers detected, etc.—the management server may notify the security proxy 106 of the updated posture of the gateway. If the gateway is/remains fully compliant (404), the security proxy (or other node) allows/continues to allow access to associated backend IoT services (406). If the gateway is not fully compliant (404), a policy-based responsive action is taken (408). In various embodiments, the responsive action may be indicated by a policy or other configuration data. The nature and/or scope of the response may be determined programmatically based on the specific applicable security posture information. For example, a change to a state indicating that a particular sensor may have been tampered with may result in the security proxy or other node blocking data from that sensor only. Installation of an unauthorized and potentially malicious app on the gateway, by contrast, may result in all communications from that gateway being blocked and/or quarantined.
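The graduated response of FIG. 4 (steps 402 to 408), including the stripping of data from a potentially compromised sensor described earlier for security proxy 206, can be sketched as follows. This is an added illustration, not code from the patent; the class, field, and sensor names, the 900-second check-in limit, and the choice to quarantine on an overdue check-in or an unknown gateway are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    ALLOW = "allow"
    STRIP_SENSORS = "strip_sensors"   # block data from affected sensors only
    QUARANTINE = "quarantine"         # block all traffic from the gateway


@dataclass
class Posture:
    """Posture record pushed by the management server (field names assumed)."""
    gateway_id: str
    last_checkin: float                                   # epoch seconds
    unauthorized_apps: set = field(default_factory=set)
    tampered_sensors: set = field(default_factory=set)


class SecurityProxy:
    def __init__(self, max_checkin_age_s=900.0):
        self.max_checkin_age_s = max_checkin_age_s        # assumed policy value
        self._posture = {}

    def update_posture(self, posture):
        """Step 402: receive updated posture from the management server."""
        self._posture[posture.gateway_id] = posture

    def decide(self, gateway_id, now):
        """Steps 404-408: map posture to a response; the broadest response wins."""
        p = self._posture.get(gateway_id)
        if p is None:
            return Action.QUARANTINE, "no posture on record"      # default deny
        if p.unauthorized_apps:
            return Action.QUARANTINE, "unauthorized app installed"
        if now - p.last_checkin > self.max_checkin_age_s:
            return Action.QUARANTINE, "check-in overdue"          # assumed response
        if p.tampered_sensors:
            return Action.STRIP_SENSORS, "sensor tampering reported"
        return Action.ALLOW, "compliant"

    def relay(self, gateway_id, message, now):
        """Return the message to forward to the backend service, or None if blocked."""
        action, _reason = self.decide(gateway_id, now)
        if action is Action.QUARANTINE:
            return None
        if action is Action.STRIP_SENSORS:
            bad = self._posture[gateway_id].tampered_sensors
            kept = [r for r in message["readings"] if r["sensor"] not in bad]
            return {**message, "readings": kept} if kept else None
        return message


def demo():
    """Run one constructed message through the proxy under changing posture."""
    now = 1_000_000.0
    proxy = SecurityProxy()
    msg = {"app": "temp-reporter", "readings": [      # constructed sample data
        {"sensor": "temp-1", "value": 21.5},
        {"sensor": "temp-2", "value": 88.0},
    ]}
    results = {}
    proxy.update_posture(Posture("gw-a", now - 60))
    results["compliant"] = proxy.relay("gw-a", msg, now)
    proxy.update_posture(Posture("gw-a", now - 60, tampered_sensors={"temp-2"}))
    results["tampered"] = proxy.relay("gw-a", msg, now)
    proxy.update_posture(Posture("gw-a", now - 60, unauthorized_apps={"unknown-app"}))
    results["unauthorized"] = proxy.relay("gw-a", msg, now)
    proxy.update_posture(Posture("gw-a", now - 3600))
    results["stale"] = proxy.relay("gw-a", msg, now)
    results["unknown"] = proxy.relay("gw-b", msg, now)
    return results


if __name__ == "__main__":
    for case, forwarded in demo().items():
        print(case, "->", forwarded)
```

Because the decision is recomputed on every relayed message, a posture update from the management server takes effect on the next message without any change on the gateway.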
- FIG. 5 is a flow chart illustrating an embodiment of a process to perform security posture and/or policy-based management and configuration of resources comprising or otherwise associated with an IoT gateway. In some embodiments, the process of FIG. 5 may be performed by a management server to provide a response to be implemented at a gateway based on security or other posture, configuration, and/or context information. In some embodiments, the process of FIG. 5 may be implemented at an IoT gateway, such as by an edge agent installed on an IoT gateway, to provide a local response to security posture and/or other information.
- In the example shown, security posture, configuration, and/or context information are monitored (502). For example, an edge agent may monitor the configuration of IoT smart apps, sensor drivers, sensors, and/or other resources comprising and/or otherwise associated with a gateway to detect configuration changes, tampering with physical sensors, connectors, or ports, etc. In some embodiments, an edge agent may report posture, configuration, and context data, e.g., to a management server. In some embodiments, posture, configuration, and/or context data may be provided by external sources, such as an administrator, or a third party system, such as an intrusion detection system or other security system.
- If received security posture, configuration, and/or context data indicates that a change in app and/or driver (or other) configuration data at a gateway is to be made (504), the indicated change is made via the edge agent (506). For example, a managed IoT smart app may be configured to provide data in a different manner, to use an alternate sensor and/or sensor app, to suspend operation, to send data to a different destination, etc.
- Monitoring (502) and taking responsive actions as/if required (504, 506) continue until the process is done (508), e.g., the gateway is taken out of service for maintenance.
- FIG. 6 is a flow chart illustrating an embodiment of a process to perform policy, security, and/or context-based processing of data at an IoT gateway or other edge device. In various embodiments, the process of FIG. 6 may be performed by an IoT smart app. In the example shown, sensor and/or other data is gathered and evaluated locally at the gateway (602). For example, an IoT smart app may perform analysis, such as comparing sensor output values to a threshold, performing statistical analysis, etc. If a threshold or other trigger event is detected (604), applicable sensor and/or derived or otherwise related data may be aggregated, filtered, packaged, and/or compressed and then sent to an associated backend service, e.g., via a security proxy. Processing continues until done (608), e.g., the IoT smart app stops running, there is no further sensor data to process, etc.
- FIG. 7 is a block diagram illustrating an embodiment of a system to provide containerized management of network connected devices. In the example shown, a given set of sensors are used by associated apps and sensor drivers to provide an illustrative example of an IoT service provided using techniques disclosed herein. Management server 702 and security proxy 706 cooperate, as disclosed herein, to provide managed access to a remote image service 714. Client systems and/or devices 716 may access the service 714 to see, for example, images taken by a camera or other sensor installed at a remote physical location. IoT gateway 710 having operating system 712 running thereon may be installed at or near the monitored location. An edge agent (management app) 720 installed and running on gateway 710 manages a remote imaging app 722, sensor driver 724, and camera (sensor) driver 726, each of which may comprise a containerized application running on gateway 710. Sensor driver 724 functions as an I/O multiplexer for a serial I/O port 728 to which sensors sensor 730 may be a push button while sensor 732 may be a motion and/or light detector. Camera driver 726 configures and manages access to a camera 736 connected to gateway 710 via a general purpose I/O 734.
- Remote image app 722 accesses sensors sensor driver 724, and camera 736 via camera driver 726. Sensor driver 724 and/or camera driver 726 may be configured to allow access only selectively and/or subject to constraints specified in their own app configuration data. For example, sensor driver 724 may be configured to provide to remote image app 722 access only to output data (e.g., click events) associated with push button 730.
- By way of example, remote image app 722 may be configured to subscribe, via sensor driver 724, to click events generated by sensor driver 724 in response to receiving an indication via serial I/O 728 that the push button 730 has been pushed. In response to each occurrence of such a click event, remote image app 722 may be configured to request and obtain via camera driver 726 a burst comprising a prescribed number of images generated using camera 736. The prescribed number may be indicated, for example, in app configuration data for one or both of the camera driver 726 and the remote imaging app 722. Remote imaging app 722 may be configured to perform filtering, analysis, and/or other pre-processing of received image data. For example, remote imaging app 722 may be configured to detect the presence (or not) of a face in an image, and to send to remote imaging service 714 only those images that contain a face. Or, remote imaging app 722 may be configured to judge image quality and send only a selected representative image of a certain quality. In yet another example, remote imaging app 722 may be configured to degrade image quality and/or otherwise reduce an associated data size prior to communicating an image to the remote imaging service 714.
- In various embodiments, management and security techniques disclosed herein may be applied to the example service shown in FIG. 7. For example, upon detecting a change in the security posture of gateway 710, management server 702 may send updated posture information to security proxy 706, prompting security proxy 706 to block access by remote image app 722 to remote image service 714. In another example, an administrator may indicate via an administrative interface a desired change in app behavior, such as to change the number of images included in each burst. In response, management server 702 may use edge agent 720 to change the configuration of one or both of remote image app 722 and camera driver 726 to implement the change. In yet another example, camera 736 may be replaced with a different physical device. In response, a replacement driver for camera driver 726 may be downloaded, installed, and configured. The replacement driver may be configured to implement a physical or other interface to the new camera, while continuing to expose a consistent interface to remote image app 722, which in this example would not be required to be updated and/or reconfigured.
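The mediation role described for sensor driver 724 (apps subscribe only to the events a policy grants them, apps cannot alter sensor configuration, and only the edge agent changes policy) can be sketched as below. This is an added illustration, not code from the patent; the identifiers `edge-agent`, `remote-image-app`, `button-730` and `motion-732`, the event names, and the configuration keys are assumptions, and caller identity is assumed to be authenticated by the container or IPC layer.

```python
from collections import defaultdict

EDGE_AGENT = "edge-agent"   # assumed identity of the privileged management container


class SensorDriver:
    """Multiplexes events from one physical port to apps, subject to policy."""

    def __init__(self, sensor_config):
        self._config = {sid: dict(cfg) for sid, cfg in sensor_config.items()}
        self._policy = {}                  # app_id -> {sensor_id: {event types}}
        self._subs = defaultdict(list)     # (sensor_id, event) -> [(app_id, callback)]

    def _allowed(self, app_id, sensor_id, event):
        return event in self._policy.get(app_id, {}).get(sensor_id, set())

    def apply_policy(self, caller, policy):
        """Replace the access policy; only the edge agent may do this."""
        if caller != EDGE_AGENT:
            raise PermissionError("only the edge agent may change driver policy")
        self._policy = {app: {sid: set(events) for sid, events in grants.items()}
                        for app, grants in policy.items()}
        # Revoke existing subscriptions that the new policy no longer permits.
        for (sid, event), subs in self._subs.items():
            subs[:] = [(a, cb) for a, cb in subs if self._allowed(a, sid, event)]

    def configure_sensor(self, caller, sensor_id, **settings):
        """Change sensor settings; apps are never allowed to do this."""
        if caller != EDGE_AGENT:
            raise PermissionError(f"{caller} may not reconfigure {sensor_id}")
        self._config[sensor_id].update(settings)

    def subscribe(self, app_id, sensor_id, event, callback):
        if not self._allowed(app_id, sensor_id, event):
            raise PermissionError(f"{app_id} has no grant for {sensor_id}/{event}")
        self._subs[(sensor_id, event)].append((app_id, callback))

    def dispatch(self, sensor_id, event, payload=None):
        """Called when the port reports input; returns the apps that received it."""
        delivered = []
        for app_id, callback in list(self._subs.get((sensor_id, event), [])):
            callback(sensor_id, event, payload)
            delivered.append(app_id)
        return delivered


def demo():
    driver = SensorDriver({"button-730": {"debounce_ms": 50},
                           "motion-732": {"sensitivity": 3}})
    # Policy pushed via the edge agent: the app may see button clicks only.
    driver.apply_policy(EDGE_AGENT, {"remote-image-app": {"button-730": {"click"}}})

    seen, denied = [], []
    on_event = lambda sid, event, payload: seen.append((sid, event))
    driver.subscribe("remote-image-app", "button-730", "click", on_event)
    try:
        driver.subscribe("remote-image-app", "motion-732", "motion", on_event)
    except PermissionError:
        denied.append("subscribe motion-732")
    try:
        driver.configure_sensor("remote-image-app", "button-730", debounce_ms=0)
    except PermissionError:
        denied.append("configure button-730")

    driver.dispatch("button-730", "click")     # delivered to the app
    driver.dispatch("motion-732", "motion")    # no permitted subscriber
    driver.apply_policy(EDGE_AGENT, {})        # administrator revokes all grants
    after_revoke = driver.dispatch("button-730", "click")
    return seen, denied, after_revoke


if __name__ == "__main__":
    print(demo())
```

Revoking grants in `apply_policy` also drops live subscriptions, so a policy change made at the management server stops event delivery without restarting the app.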
- FIG. 8 is a block diagram illustrating an embodiment of a system to provision and configure an IoT gateway and/or associated resources. In the example shown, a management server 802 and security proxy 806 cooperate to provide managed access to IoT services 814 by IoT smart applications running on IoT gateway 810 having operating system 812 running thereon. As in previous examples, management is performed at least in part via an edge agent 820 installed on gateway 810. Edge agent 820 configures and otherwise manages containerized applications running on gateway 810, such as image app 822, button (sensor) driver 824 associated with button sensor 830, and camera (sensor) driver 826 associated with camera 836, in this example, through communications sent via a secure connection bus.
- In the example shown in FIG. 8, an IoT application store paradigm, platform, and interface 816 is provided to enable IoT smart apps, sensor drivers, and other resources to be installed on a managed IoT gateway, such as gateway 810. In this example, IoT application store interface 816 displays in dashed, outline, shadow, or other less prominently visible form icons representing containerized applications that have already been installed on gateway 810. Additional applications (temp driver, alarm app) that have not (yet) been installed on gateway 810 are displayed using solid lines.
- In various embodiments, an IoT app store may be implemented as a software distribution registry or similar repository. Each application icon displayed via the app store interface, such as interface 816 in the example shown, may be associated with a corresponding downloadable software image or similar encapsulation of data required to build and run a container. Selection of an application that has not been installed may result in the corresponding image being pulled to the associated IoT gateway, which may then use the image or other data to install and run a corresponding instance of an associated containerized application.
- The particular apps and sensor drivers shown in and described above in connection with FIGS. 7 and 8 are illustrative examples of apps and sensor drivers that may be used in the application agnostic architecture and approach disclosed herein. Limitless other apps, sensor drivers, and associated services may be conceived and implemented using techniques disclosed herein.
- In various embodiments, applications made available via an IoT app store as disclosed herein may comprise a subset of applications included in a master inventory of applications. For example, the applications in the inventory may be filtered based on information associated with the gateway, such as a role or other data associated with an enterprise or other user with which the gateway is associated; a location or other attribute associated with the gateway; security or other posture information; group or other designation with which the gateway is associated; sensors detected to be connected to the gateway; etc.
- In various embodiments, apps, sensor drivers, and/or other IoT gateway apps and tools may be developed by application developers. In some embodiments, a software development kit (SDK), application programming interface (API), open source code repository, and/or other tools and resources may be provided to facilitate the development and/or improvement of IoT gateway apps and drivers. For example, a developer associated with an enterprise, or a third party developer, may create a new or adapted sensor driver to enable a new type, make, or model of sensor to be used by one or more other IoT gateway apps and/or associated services. Apps, sensor drivers, and other code developed by third parties may be submitted for review and approval, and may be made available to be downloaded from an IoT gateway app store upon a determination being made that the app, sensor driver, etc. functions as intended and contains no malicious or otherwise risky or vulnerable code.
- Using techniques disclosed herein, secure, managed access to backend services may be provided to applications and other resources comprising or otherwise associated with IoT devices.
- While a number of examples described herein involve external sensors connected to a gateway via a physical connection port, techniques disclosed herein may be applied as well to manage access to, configuration of, and use of internal sensors of the gateway device. In various embodiments, a smart device, such as a smart appliance, may be configured to serve as an IoT gateway as disclosed herein. In such implementations, separate hardware, such as a Raspberry Pi™ or other device, may not be required.
- Although the foregoing embodiments have been described in some detail for purposes of clarity of understanding, the invention is not limited to the details provided. There are many alternative ways of implementing the invention. The disclosed embodiments are illustrative and not restrictive.
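The inventory filtering and review gate described above can be sketched as a deny-by-default check. This is an added illustration, not code from the patent or from any product; the class names, field names, app names and sample values are all assumptions constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AppEntry:
    """One entry in the master inventory (hypothetical schema)."""
    name: str
    approved: bool                            # passed store review
    roles: frozenset = frozenset()            # empty set = no restriction
    groups: frozenset = frozenset()
    locations: frozenset = frozenset()
    required_sensors: frozenset = frozenset()
    requires_compliant: bool = True           # posture gate on by default

@dataclass(frozen=True)
class Gateway:
    """Attributes the management server knows about a gateway (hypothetical)."""
    role: str
    group: str
    location: str
    compliant: bool
    sensors: frozenset                        # sensors detected on the gateway

def denial_reasons(app, gw):
    """Return every reason the app must be hidden; an empty list means visible."""
    reasons = []
    if not app.approved:
        reasons.append("not approved by store review")
    for label, allowed, value in (("role", app.roles, gw.role),
                                  ("group", app.groups, gw.group),
                                  ("location", app.locations, gw.location)):
        if allowed and value not in allowed:
            reasons.append(f"{label} '{value}' not permitted")
    if app.requires_compliant and not gw.compliant:
        reasons.append("gateway posture is non-compliant")
    missing = app.required_sensors - gw.sensors
    if missing:
        reasons.append("missing sensors: " + ", ".join(sorted(missing)))
    return reasons

def store_view(inventory, gw):
    """Split the inventory into visible app names and an audit map of denials."""
    visible, hidden = [], {}
    for app in inventory:
        reasons = denial_reasons(app, gw)
        if reasons:
            hidden[app.name] = reasons
        else:
            visible.append(app.name)
    return visible, hidden

# Constructed sample data, not taken from the patent.
INVENTORY = [
    AppEntry("temp-monitor", True, roles=frozenset({"facilities"}),
             required_sensors=frozenset({"temperature"})),
    AppEntry("door-access", True, groups=frozenset({"hq"}),
             required_sensors=frozenset({"rfid"})),
    AppEntry("beta-driver", False),
    AppEntry("diagnostics", True, requires_compliant=False),
]
GATEWAY = Gateway("facilities", "branch", "us-west", True,
                  frozenset({"temperature"}))

if __name__ == "__main__":
    shown, denied = store_view(INVENTORY, GATEWAY)
    print("visible:", shown)
    for name, why in denied.items():
        print("hidden:", name, "->", "; ".join(why))
```

Recording the denial reasons alongside the visible list gives the management server an audit trail for why a gateway was not offered a given app.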
Claims (20)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/270,948 US10374869B2 (en) | 2015-09-22 | 2016-09-20 | Containerized architecture to manage internet-connected devices |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201562222029P | 2015-09-22 | 2015-09-22 | |
US15/270,948 US10374869B2 (en) | 2015-09-22 | 2016-09-20 | Containerized architecture to manage internet-connected devices |
Publications (2)
Publication Number | Publication Date |
---|---|
US20170099176A1 true US20170099176A1 (en) | 2017-04-06 |
US10374869B2 US10374869B2 (en) | 2019-08-06 |
Family
ID=58387113
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/270,948 Active 2037-03-14 US10374869B2 (en) | 2015-09-22 | 2016-09-20 | Containerized architecture to manage internet-connected devices |
Country Status (2)
Country | Link |
---|---|
US (1) | US10374869B2 (en) |
WO (1) | WO2017053319A1 (en) |
Cited By (25)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20170134500A1 (en) * | 2015-11-09 | 2017-05-11 | Admobilize Llc. | System and method for creating operating systems to network physical objects or things |
US10103964B2 (en) * | 2016-06-17 | 2018-10-16 | At&T Intellectual Property I, L.P. | Managing large volumes of event data records |
TWI646434B (en) * | 2017-04-24 | 2019-01-01 | 宏碁股份有限公司 | Cloud management system and device configuration method thereof |
US10320613B1 (en) * | 2015-08-11 | 2019-06-11 | Cisco Technology, Inc. | Configuring contextually aware IoT policies |
US10333733B2 (en) * | 2017-03-20 | 2019-06-25 | Vmware, Inc. | Controlling proxy devices through a managed gateway |
US10374869B2 (en) * | 2015-09-22 | 2019-08-06 | Mobile Iron, Inc. | Containerized architecture to manage internet-connected devices |
US10469600B2 (en) * | 2017-11-14 | 2019-11-05 | Dell Products, L.P. | Local Proxy for service discovery |
US10681544B2 (en) | 2018-03-12 | 2020-06-09 | Cypress Semiconductor Corporation | Devices, systems and methods for connecting and authenticating local devices to common gateway device |
US20200213395A1 (en) * | 2018-12-31 | 2020-07-02 | Itron, Inc. | Application Management Service |
CN111917588A (en) * | 2020-08-10 | 2020-11-10 | 南方电网数字电网研究院有限公司 | Edge device management method, device, edge gateway device and storage medium |
US10848495B2 (en) | 2018-02-18 | 2020-11-24 | Cisco Technology, Inc. | Internet of things security system |
US10893116B1 (en) | 2019-07-03 | 2021-01-12 | Nutanix, Inc. | Apparatuses and methods for edge computing application deployment in an IoT system |
JP2021005270A (en) * | 2019-06-27 | 2021-01-14 | IoT−EX株式会社 | Iot connection system, information processing method, and computer program |
US20210029156A1 (en) * | 2018-08-10 | 2021-01-28 | Amazon Technologies, Inc. | Security monitoring system for internet of things (iot) device environments |
US10999269B2 (en) * | 2015-12-04 | 2021-05-04 | Samsara Networks Inc. | Authentication of a gateway device in a sensor network |
US11140144B2 (en) * | 2017-01-19 | 2021-10-05 | Saison Information Systems Co., Ltd. | IoT data collection system, IoT data collection method, management device, management program, agent device, and agent program |
US20220046094A1 (en) * | 2018-09-14 | 2022-02-10 | Spectrum Brands, Inc. | System and method of establishing server connections to internet of things devices, including electronic locks |
US11277495B2 (en) * | 2018-12-10 | 2022-03-15 | Electronics And Telecommunications Research Institute | System and method for providing microservice-based device control interface |
US11381575B2 (en) | 2019-05-03 | 2022-07-05 | Microsoft Technology Licensing, Llc | Controlling access to resources of edge devices |
WO2022215086A1 (en) * | 2021-04-07 | 2022-10-13 | Karmarkar Sameer Madhusudan | System and method for containerization of internet of things devices |
US11501881B2 (en) | 2019-07-03 | 2022-11-15 | Nutanix, Inc. | Apparatus and method for deploying a mobile device as a data source in an IoT system |
US11635990B2 (en) | 2019-07-01 | 2023-04-25 | Nutanix, Inc. | Scalable centralized manager including examples of data pipeline deployment to an edge system |
US11665221B2 (en) | 2020-11-13 | 2023-05-30 | Nutanix, Inc. | Common services model for multi-cloud platform |
US11726764B2 (en) | 2020-11-11 | 2023-08-15 | Nutanix, Inc. | Upgrade systems for service domains |
US11736585B2 (en) | 2021-02-26 | 2023-08-22 | Nutanix, Inc. | Generic proxy endpoints using protocol tunnels including life cycle management and examples for distributed cloud native services and applications |
Families Citing this family (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10873567B2 (en) * | 2017-06-26 | 2020-12-22 | Open Text Corporation | Systems and methods for providing communications between on-premises servers and remote devices |
FR3073302A1 (en) * | 2017-11-08 | 2019-05-10 | STMicroelectronics (Grand Ouest) SAS | METHOD AND DEVICE FOR MONITORING AT LEAST ONE ACTIVITY OF A CONNECTED OBJECT |
GB2568871B (en) * | 2017-11-23 | 2021-09-22 | Advanced Risc Mach Ltd | Devices and methods for control of internet of things (IoT) devices |
GB2568873B (en) * | 2017-11-23 | 2021-09-22 | Advanced Risc Mach Ltd | Distributed management system for internet of things devices and methods thereof |
US11388195B1 (en) * | 2019-02-02 | 2022-07-12 | Clearops, Inc. | Information security compliance platform |
US10848567B1 (en) * | 2019-11-29 | 2020-11-24 | Cygnus, LLC | Remote support for IoT devices |
US20220172825A1 (en) * | 2020-11-28 | 2022-06-02 | GE Precision Healthcare LLC | Medical scanner application platform |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20150113627A1 (en) * | 2013-10-17 | 2015-04-23 | Arm Ip Limited | Method for assigning an agent device from a first device registry to a second device registry |
US20150172215A1 (en) * | 2013-12-18 | 2015-06-18 | ContinnumBridge Limited | Apparatus for Network Bridging |
US20150347114A1 (en) * | 2014-05-28 | 2015-12-03 | Samsung Electronics Co., Ltd. | Apparatus and method for controlling internet of things devices |
US20160094421A1 (en) * | 2014-09-25 | 2016-03-31 | Oracle International Corporation | Platform for capturing, processing, storaging, and presentation of generic sensor data from remote arbitrary locations |
US20160142906A1 (en) * | 2014-11-17 | 2016-05-19 | Samsung Electronics Co., Ltd. | Apparatus and method for profile installation in communication system |
US20160147506A1 (en) * | 2014-11-21 | 2016-05-26 | Kiban Labs, Inc. | Internet of things platforms, apparatuses, and methods |
US20170005456A1 (en) * | 2014-07-08 | 2017-01-05 | Grigori Broudno | High Efficiency Spark Plug |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2007022432A2 (en) * | 2005-08-18 | 2007-02-22 | Emc Corporation | Compliance processing of rights managed data |
US8104077B1 (en) * | 2006-01-03 | 2012-01-24 | Symantec Corporation | System and method for adaptive end-point compliance |
KR101932821B1 (en) | 2013-07-24 | 2018-12-27 | 콘비다 와이어리스, 엘엘씨 | Service domain charging systems and methods |
US9742840B2 (en) * | 2013-12-20 | 2017-08-22 | Siemens Aktiengesellschaft | Integration of user interfaces for different physically distributed medical applications |
US9729330B2 (en) * | 2015-08-21 | 2017-08-08 | Samsung Electronics Co., Ltd. | Secure pairing of eHealth devices and authentication of data using a gateway device having secured area |
US10374869B2 (en) * | 2015-09-22 | 2019-08-06 | Mobile Iron, Inc. | Containerized architecture to manage internet-connected devices |
-
2016
- 2016-09-20 US US15/270,948 patent/US10374869B2/en active Active
- 2016-09-20 WO PCT/US2016/052701 patent/WO2017053319A1/en active Application Filing
Cited By (32)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10320613B1 (en) * | 2015-08-11 | 2019-06-11 | Cisco Technology, Inc. | Configuring contextually aware IoT policies |
US10374869B2 (en) * | 2015-09-22 | 2019-08-06 | Mobile Iron, Inc. | Containerized architecture to manage internet-connected devices |
US20170134500A1 (en) * | 2015-11-09 | 2017-05-11 | Admobilize Llc. | System and method for creating operating systems to network physical objects or things |
US10999269B2 (en) * | 2015-12-04 | 2021-05-04 | Samsara Networks Inc. | Authentication of a gateway device in a sensor network |
US10516595B2 (en) | 2016-06-17 | 2019-12-24 | At&T Intellectual Property I, L.P. | Managing large volumes of event data records |
US10103964B2 (en) * | 2016-06-17 | 2018-10-16 | At&T Intellectual Property I, L.P. | Managing large volumes of event data records |
US11140144B2 (en) * | 2017-01-19 | 2021-10-05 | Saison Information Systems Co., Ltd. | IoT data collection system, IoT data collection method, management device, management program, agent device, and agent program |
US20190288869A1 (en) * | 2017-03-20 | 2019-09-19 | Vmware, Inc. | Controlling proxy devices through a managed gateway |
US10333733B2 (en) * | 2017-03-20 | 2019-06-25 | Vmware, Inc. | Controlling proxy devices through a managed gateway |
US11038710B2 (en) * | 2017-03-20 | 2021-06-15 | Vmware, Inc. | Controlling proxy devices through a managed gateway |
TWI646434B (en) * | 2017-04-24 | 2019-01-01 | 宏碁股份有限公司 | Cloud management system and device configuration method thereof |
US10469600B2 (en) * | 2017-11-14 | 2019-11-05 | Dell Products, L.P. | Local Proxy for service discovery |
US11658977B2 (en) | 2018-02-18 | 2023-05-23 | Cisco Technology, Inc. | Internet of Things security system |
US10848495B2 (en) | 2018-02-18 | 2020-11-24 | Cisco Technology, Inc. | Internet of things security system |
US10681544B2 (en) | 2018-03-12 | 2020-06-09 | Cypress Semiconductor Corporation | Devices, systems and methods for connecting and authenticating local devices to common gateway device |
US11153754B2 (en) | 2018-03-12 | 2021-10-19 | Cypress Semiconductor Corporation | Devices, systems and methods for connecting and authenticating local devices to common gateway device |
US20210029156A1 (en) * | 2018-08-10 | 2021-01-28 | Amazon Technologies, Inc. | Security monitoring system for internet of things (iot) device environments |
US11671499B2 (en) * | 2018-09-14 | 2023-06-06 | Spectrum Brands, Inc. | System and method of establishing server connections to internet of things devices, including electronic locks |
US20220046094A1 (en) * | 2018-09-14 | 2022-02-10 | Spectrum Brands, Inc. | System and method of establishing server connections to internet of things devices, including electronic locks |
US11277495B2 (en) * | 2018-12-10 | 2022-03-15 | Electronics And Telecommunications Research Institute | System and method for providing microservice-based device control interface |
US10834197B2 (en) * | 2018-12-31 | 2020-11-10 | Itron, Inc. | Application management service |
US20200213395A1 (en) * | 2018-12-31 | 2020-07-02 | Itron, Inc. | Application Management Service |
US11381575B2 (en) | 2019-05-03 | 2022-07-05 | Microsoft Technology Licensing, Llc | Controlling access to resources of edge devices |
JP2021005270A (en) * | 2019-06-27 | 2021-01-14 | IoT−EX株式会社 | Iot connection system, information processing method, and computer program |
US11635990B2 (en) | 2019-07-01 | 2023-04-25 | Nutanix, Inc. | Scalable centralized manager including examples of data pipeline deployment to an edge system |
US11501881B2 (en) | 2019-07-03 | 2022-11-15 | Nutanix, Inc. | Apparatus and method for deploying a mobile device as a data source in an IoT system |
US10893116B1 (en) | 2019-07-03 | 2021-01-12 | Nutanix, Inc. | Apparatuses and methods for edge computing application deployment in an IoT system |
CN111917588A (en) * | 2020-08-10 | 2020-11-10 | 南方电网数字电网研究院有限公司 | Edge device management method, device, edge gateway device and storage medium |
US11726764B2 (en) | 2020-11-11 | 2023-08-15 | Nutanix, Inc. | Upgrade systems for service domains |
US11665221B2 (en) | 2020-11-13 | 2023-05-30 | Nutanix, Inc. | Common services model for multi-cloud platform |
US11736585B2 (en) | 2021-02-26 | 2023-08-22 | Nutanix, Inc. | Generic proxy endpoints using protocol tunnels including life cycle management and examples for distributed cloud native services and applications |
WO2022215086A1 (en) * | 2021-04-07 | 2022-10-13 | Karmarkar Sameer Madhusudan | System and method for containerization of internet of things devices |
Also Published As
Publication number | Publication date |
---|---|
US10374869B2 (en) | 2019-08-06 |
WO2017053319A1 (en) | 2017-03-30 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: MOBILE IRON, INC., CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:JAIN, SANDEEP;REEL/FRAME:040761/0428 Effective date: 20161209 |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT RECEIVED |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED |
|
STCF | Information on status: patent grant |
Free format text: PATENTED CASE |
|
AS | Assignment |
Owner name: MORGAN STANLEY SENIOR FUNDING, INC., AS COLLATERAL AGENT, MARYLAND Free format text: SECURITY INTEREST;ASSIGNORS:CELLSEC, INC.;PULSE SECURE, LLC;IVANTI, INC.;AND OTHERS;REEL/FRAME:054665/0062 Effective date: 20201201 Owner name: BANK OF AMERICA, N.A., AS COLLATERAL AGENT, ILLINOIS Free format text: SECURITY INTEREST;ASSIGNORS:CELLSEC, INC.;PULSE SECURE, LLC;INVANTI, INC.;AND OTHERS;REEL/FRAME:054665/0873 Effective date: 20201201 |
|
AS | Assignment |
Owner name: IVANTI, INC., UTAH Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MOBILEIRON, INC.;REEL/FRAME:061327/0751 Effective date: 20220801 |
|
MAFP | Maintenance fee payment |
Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY Year of fee payment: 4 |